In the CloudFormation template, the developer should create a parameter with the list of approved EC2 instance types as AllowedValues. This way, users can select the instance type they want to use when launching the CloudFormation stack, but only from the approved list.

The correct answer is B because when an IAM role is attached to an Amazon EC2 instance through an instance profile, changes to the permissions policy for that role propagate automatically to applications that use the instance role credentials. This is the least disruptive approach because the developer does not need to restart, hibernate, terminate, or replace the EC2 instance.

AWS documentation explains that applications running on EC2 can obtain temporary security credentials from the instance metadata service for the attached IAM role. When the IAM policy attached to that role is updated to allow Amazon S3 read access , new temporary credentials issued for the role will reflect the updated permissions. This makes it possible to correct the access issue without changing the application deployment model or interrupting the running instance.

Option A is unnecessary because terminating and relaunching the instance causes avoidable disruption. Option C is also unnecessary because hibernation and restart are not required for IAM policy changes to take effect. Option D is not the best answer because although bucket policies can grant access, the issue identified is specifically that the instance role lacks S3 read permission , and restarting the instance is still unnecessary.

The AWS best-practice approach is to grant the required permission directly to the IAM role used by the EC2 instance. This keeps authorization centralized and lets the running application continue using temporary role credentials with minimal operational impact.

Therefore, the solution with the least application disruption is to add the S3 read permission to the IAM role , making B the correct answer.

AWS Secrets Manager is a service that allows you to store and manage secrets, such as database credentials, API keys, and passwords, in a secure and centralized way. It also provides features such as automatic secret rotation, auditing, and monitoring1. By using AWS Secrets Manager, you can avoid hardcoding credentials in your code, which is a bad security practice and makes it difficult to update them. You can also replicate your secrets to another Region, which is useful for disaster recovery purposes2. To access your secrets from your application, you can use the ARN of the secret, which is a unique identifier that includes the Region name. This way, your application can use the appropriate secret based on the Region where it is deployed3.

AWS Secrets Manager

Replicating and sharing secrets

Using your own encryption keys

The requirement is to redact PII before the object content reaches the consumer, while the analytics service continues to use standard S3 GET requests. The most operationally efficient way is Amazon S3 Object Lambda.

S3 Object Lambda lets you add your own code to process and transform data as it is retrieved from S3. Instead of the analytics service reading directly from the bucket, it reads through an S3 Object Lambda Access Point. When the service performs a GET request, S3 invokes the associated Lambda function, which can modify the object payload on the fly—for example, by calling an external or internal PII redaction API and returning a redacted version of the report. The original object remains unchanged in the bucket, while consumers receive the transformed (redacted) response.

This approach is operationally efficient because it avoids:

duplicating and storing redacted copies of every report,

refactoring the analytics service to use a different datastore or ingestion path,

building a separate proxy service layer.

Option A requires significant refactoring and ongoing ETL/warehouse ops.

Option C provides confidentiality via encryption but does not perform redaction (analytics would still see PII after decryption).

Option D changes the access pattern completely (analytics no longer uses GET) and adds messaging complexity without directly returning redacted object content.

Therefore, S3 Object Lambda + Object Lambda Access Point is the most efficient solution to redact data at retrieval time.

When a Lambda function is configured to run inside a VPC, it receives ENIs in the selected subnets and uses those subnets’ routing to reach other networks. If the function is placed in private subnets (common when it needs to access an RDS database in private subnets), it typically does not have a direct route to the internet. As a result, outbound calls to public external APIs will fail unless the VPC provides a controlled egress path.

The standard AWS networking pattern for private-subnet internet access is a NAT gateway (or NAT instance) deployed in a public subnet , with a route from the private subnet(s) to the NAT gateway (0.0.0.0/0 → NAT). The NAT gateway then uses an internet gateway attached to the VPC to reach the public internet while keeping the Lambda function (and the RDS database) in private address space. This resolves the connectivity issue while maintaining the security posture of private subnets.

Option A is not the solution: Lambda automatically provisions ENIs for VPC-enabled functions; manually provisioning an ENI does not provide internet access. Option C (security group outbound rules) is necessary but not sufficient—security groups control allowed traffic, but without a proper route to the internet (via NAT), the packets still cannot reach external endpoints. Option D (gateway VPC endpoint) is for AWS services like S3 and DynamoDB (gateway endpoints), not for arbitrary public internet APIs, and “in a public subnet” is not how gateway endpoints are used; they are associated with route tables.

Therefore, the correct solution is B : add a NAT gateway in a public subnet and update private subnet route tables so the new Lambda function can reach external public APIs while still accessing the private RDS database.

To ensure a Lambda function URL is reachable only through CloudFront, the solution must (1) make CloudFront the only authorized caller, and (2) prevent direct public access to the function URL endpoint. The AWS-native way to do this is to use a resource-based policy on the Lambda function that permits invocation only from the specific CloudFront distribution, combined with CloudFront’s Origin Access Control (OAC) to sign origin requests.

A Lambda function URL can be configured for IAM-based authorization, and Lambda supports resource-based permissions (via lambda:AddPermission) that restrict who can invoke it. By scoping the permission so that only the CloudFront distribution (identified by a source ARN / distribution identifier) is allowed, direct requests that do not come through CloudFront will be rejected. This enforces the requirement that the function URL cannot be accessed directly.

CloudFront OAC is the modern mechanism to securely access origins by having CloudFront sign the requests it sends to the origin. When CloudFront signs requests and the origin (here, the Lambda function URL) is configured to accept only authorized requests per its resource policy, CloudFront becomes the only viable access path.

Option A is incorrect because CloudFront does not use a “resource-based policy” to grant access to an origin in this way; the enforcement must happen at the origin. Option C is not how CloudFront accesses origins; CloudFront does not assume a customer IAM role to fetch origin content. Option D is fragile and not recommended: CloudFront IP ranges can change and are not intended to be used as a static allowlist for origin protection; additionally, IP-based controls do not provide the same strong identity-based authorization that OAC + resource policy provides.

Therefore, B is the correct solution: restrict the Lambda function URL with a Lambda resource-based policy and configure CloudFront with OAC so only CloudFront-originated requests are accepted.

AWS Amplify’s most direct support for GraphQL APIs is through AWS AppSync, and the Amplify CLI can generate and configure an AppSync GraphQL API directly from a schema with minimal setup. The requirement says the API already has an existing GraphQL schema, and the goal is to migrate it with the least configuration effort.

Option D is the simplest: run amplify add api, choose GraphQL, and provide the existing schema. Amplify then provisions the AppSync API, sets up the schema, creates the backend resources (depending on chosen data sources), and wires the configuration into the Amplify project so the SPA can consume the API.

Option A is incorrect because it selects REST and does not align with an existing GraphQL schema.

Option B is incorrect because API Gateway is not the native GraphQL service and would require additional mapping/proxy logic—more configuration.

Option C can be valid if an AppSync API already exists and you want to import it, but the question asks to “migrate the API along with the application” with least configuration. Creating it directly in Amplify is typically less configuration than creating separately and importing.

Therefore, using Amplify CLI to add a GraphQL API and supply the existing schema is the least-config approach.

The X-Ray daemon is a software that collects trace data from the X-Ray SDK and relays it to the X-Ray service. The X-Ray daemon can run on any platform that supports Go, including Linux, Windows, and macOS. The developer can install and run the X-Ray daemon on the on-premises servers to capture and relay the data to the X-Ray service with minimal configuration. The X-Ray SDK is used to instrument the application code, not to capture and relay data. The Lambda function solutions are more complex and require additional configuration.

An Inline Policy is a policy that is embedded directly into an IAM user, group, or role. When you use an inline policy, you maintain a strict one-to-one relationship between the policy and the identity. Since the requirement is to grant a specific " permanent " right to only one specific user within a group without changing the shared group policy, an inline policy attached directly to that individual user is the correct approach.

The sensitive information is appearing because Step Functions logging is including execution data, such as input and output passed between states. Changing the logging level to ERROR or FATAL reduces the categories of events captured but does not specifically prevent sensitive execution payloads from being included when events are logged. Disabling X-Ray tracing does not solve CloudWatch Logs exposure because tracing and logging are separate configurations. The correct CloudFormation change is to set IncludeExecutionData to false in the Step Functions logging configuration. AWS Step Functions documentation states that includeExecutionData determines whether execution data is included in logs, and when it is set to false, that data is excluded. ( AWS Documentation )

===============

Why Option A is Correct:Auto-scaling with a target utilization ensures the DynamoDB table dynamically adjusts capacity based on workload, maintaining high performance while optimizing cost. Setting a reasonable target utilization minimizes overprovisioning and throttling risks.

Why Other Options are Incorrect:

Option B: On-demand capacity is costlier than provisioned throughput for predictable workloads.

Option C: Using manual CloudWatch alarms and Lambda for scaling is less efficient and adds operational overhead.

Option D: DAX accelerates read performance but does not improve write performance.

AWS Documentation References:

DynamoDB Auto Scaling

Requirement Summary:

Secrets managed in AWS Secrets Manager

DB: Amazon RDS for PostgreSQL

Need automated password rotation

Must maintain high availability

Least development effort

Rotation Strategies:

Single-user rotation strategy

Simplest to implement

The secret contains one set of credentials used by app and rotation logic

Supports automated rotation

AWS provides built-in Lambda rotation templates for RDS

A. Alternating-users strategy

⚠️ More complex

Requires application to switch users during rotation window

B. Manual secret + CLI rotation

Too much manual work

Not scalable or reliable

C. Multivalue answer rotation

Not a valid strategy in this context

Doesn’t apply to Secrets Manager

Secrets Manager rotation strategies: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

RDS PostgreSQL secret rotation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-single-user

Amazon ElastiCache for Redis: An in-memory data store known for extremely low latency, ideal for caching frequently accessed, complex data.

Write-Through Caching: Ensures that data is always consistent between the cache and the database. Writes go to both Redis and RDS.

Performance Gains: Redis handles reads with minimal latency, offloading the RDS database and improving the application ' s responsiveness.